Android Auto - playing song name

[serdar_18fr]

Hello all,

When I connect my phone via Bluetooth and play a song on Spotify, I can see the song name on instrument cluster.
But when I connect via Full Link, it doesn't show song name, I see only "Android Auto", as you can see in the attached photos.

My 2018 FR has MIB2 Std and first gen digital instrument cluster.
Is it any different in MIB2 High units and/or revision A/B clusters?
Is there anything that can be done for it to show song name also in Full Link?

Cheers,
Serdar

 

[Chillout]

This has been one of my main frustrations for a LONG time... I hope to have a fix for it some time soon, but currently it's not yet possible to change it.

 

[serdar_18fr]

This has been one of my main frustrations for a LONG time... I hope to have a fix for it some time soon, but currently it's not yet possible to change it.

This looks like a real oversight & big laziness on SEAT's side. I'm a software developer and I know how easy things like this are these days, using the exposed APIs by device manufacturers & app developers. What a shame.

 

[Chillout]

This looks like a real oversight & big laziness on SEAT's side. I'm a software developer and I know how easy things like this are these days, using the exposed APIs by device manufacturers & app developers. What a shame.

I totally agree.. total lazyness. They could even report the Google Maps/Waze instructions to the AID, but they just didn't....
I'm currently writing a small test tool to exploit the Exlap interface. It's one of the protocols VW uses for communication inside the car. The MIB has a REST API interface on port 25010. Exlap allows for reading of data and sending commands back, hopefully I'll be able to push some data to the AID.

 

[serdar_18fr]

I totally agree.. total lazyness. They could even report the Google Maps/Waze instructions to the AID, but they just didn't....
I'm currently writing a small test tool to exploit the Exlap interface. It's one of the protocols VW uses for communication inside the car. The MIB has a REST API interface on port 25010. Exlap allows for reading of data and sending commands back, hopefully I'll be able to push some data to the AID.

I also found the design of the AID interface inconsistent, in terms of customizability, what can be shown & where, etc. It needs a lot of improvement or a total re-design.

By the way, I'd be more than happy to hear about the results of your work.

 

[Chillout]

Testing is a bit hard, because I don't want to test and debug inside a hot car
At first, I started with some simple curl requests:

curl -i http://192.168.155.206:25010

curl: (1) Received HTTP/0.9 when not allowed

It turns out, curl can't handle the xml data that came back, but this was working:

curl --http0.9 -i http://192.168.155.206:25010

<Status>
  <Init/>
</Status>

Look at the included PDF, you'll see this is regular output when sending no data.
So I made a POST request with some XML data:

curl --http0.9 -X POST http://192.168.155.206:25010 -H "Content-Type: application/xml" -H "Accept: application/xml" -d "<Req id='1'><Protocol version='1' returnCapabilities='true'/></Req>"

<Status>
  <Init/>
</Status>
<Rsp id="1">
  <Capabilities description="Dies ist der VW Standard Application Interface Server. API Level 5" service="VW SAI-Server HIGH" version="5.0" id="CENSORED">
    <Supports protocol="1.3" interface="true" authenticate="true" heartbeat="true" datTimeStamp="true"/>
  </Capabilities>
</Rsp>

Pretty cool, that's the system actually replying with something sensible!
I had a look at the exlap specs, and next I sent a message to get a listing of supported URLs, by using the DIR command.:

curl --http0.9 -X POST http://192.168.155.206:25010 -H "Content-Type: application/xml" -H "Accept: application/xml" -d "<Req id='4'><Dir/></Req>"

<Status>
  <Init/>
</Status>
<Rsp id="4">
  <UrlList>
    <Match url="vehicleIdenticationNumber"/>
  </UrlList>
</Rsp>

Not much to see there, besides the VIN, but I could query it:

curl --http0.9 -X POST http://192.168.155.206:25010 -H "Content-Type: application/xml" -H "Accept: application/xml" -d "<Req id='11'><Subscribe url='vehicleIdenticationNumber' ival='800'/></Req>"
<Status>
  <Init/>
</Status>
<Rsp id="11"/>
<Dat url="vehicleIdenticationNumber">
  <Txt name="VIN" val="CENSORED"/>
</Dat>

I know there are more data elements available, so I tried one of them:

curl --http0.9 -X POST http://192.168.155.206:25010 -H "Content-Type: application/xml" -H "Accept: application/xml" -d "<Req id='11'><Subscribe url='engineSpeed' ival='800'/></Req>"
<Status>
  <Init/>
</Status>
<Rsp id="11" status="noMatchingUrl"/>

I guess I need some authentication. Here's the funny part: they've changed the authentication since the specs were written, and user authentication is now done as follows:

base64(sha256(username:password:nonce:cnonce))

Upon sending an authentication request, the server will reply with a nonce, which you have to reply to by supplying an answer. So I made a simple calculator that would generate the digest value, and tried to authenticate myself:

curl --http0.9 -X POST http://192.168.155.206:25010 -H "Content-Type: application/xml" -H "Accept: application/xml" -d "<Req id='2'><Authenticate phase='challenge'/></Req>
> "
<Status>
  <Init/>
</Status>
<Rsp id="2">
  <Challenge nonce="xwtCCB+nScrcBK3epfEcTg=="/>
</Rsp>

But.. then there was a catch.. curl kept the connection open after this response, and didn't allow me to send a new request... I had to CTRL-C out of curl, to send the reply:

curl --http0.9 -X POST http://192.168.155.206:25010 -H "Content-Type: application/xml" -H "Accept: application/xml" -d "<Req id='3'><Authenticate phase='response' cnonce='qdnpqMqBRpVneAc/PP2mHQ==' digest='JuqGXLFDgG3AhCdn0qlC3nbinZu26m3z2zGluyE1Nv4=' user='RSE_3-DE1400'/></Req>"
<Status>
  <Init/>
</Status>
<Rsp id="3" status="error" msg="response has to be preceeded by challenge"/>

As you can see, a new session was initiated, and therefore my previous authentication nonce was no longer valid. I had no idea how to continue doing this with curl, so I tried some other options... Postman, Insomnia, SoapUI all didn't really like the XML response from the server, which sucks, as there's no way to see the exact raw value inside the tools when they cannot parse the response.

So.... now I'm writing a small websockets client in Python, so I can keep on sending and receiving data while keeping the socket open.
After that, the plan is as follows:
- Try all known username passwords I've found inside VW/Seat/Skoda/Audi apps that use Exlap data
- See if there's any difference in output on the DIR command. I hope the devs were sloppy and some of the public users have more rights than others.
- Then I'll try to find the function to update some data like song title or connected bluetooth client name. If that works, hopefully we'll be able to override the "Android Auto" title there.


Sidenote: I did a lot of research to find where the MIB is actually getting the "Android Auto" string from. I replaced all of the Android Auto strings inside the language file on the MIB, but that didn't do the trick... let's hope this method works.

 

[serdar_18fr]

....
So.... now I'm writing a small websockets client in Python, so I can keep on sending and receiving data while keeping the socket open.
After that, the plan is as follows:
- Try all known username passwords I've found inside VW/Seat/Skoda/Audi apps that use Exlap data
- See if there's any difference in output on the DIR command. I hope the devs were sloppy and some of the public users have more rights than others.
- Then I'll try to find the function to update some data like song title or connected bluetooth client name. If that works, hopefully we'll be able to override the "Android Auto" title there.


Sidenote: I did a lot of research to find where the MIB is actually getting the "Android Auto" string from. I replaced all of the Android Auto strings inside the language file on the MIB, but that didn't do the trick... let's hope this method works.

Thank you very much for all the info. ?

I've just read some parts of the protocol document and immediately excited to give it a go myself.

Two questions though:

1. Assuming you've been using a Linux laptop, what is the physical connection setup between the computer and the infotainment unit like?
2. To override the "Android Auto" string with the song name etc. I think one has to put some code of theirs on the unit and get it to work. Do you think that would be possible?

Anyway, that's a very good start ?
I'll be looking into it too once I set up the physical connection.

As for replacing the "Android Auto" string, it may not be a string resource in language file or a constant in the unit's executable but a string received from Android Auto app running on the mobile device that's connected, at the runtime.

Cheers,
Serdar

 

[Chillout]

Thank you very much for all the info. ?

I've just read some parts of the protocol document and immediately excited to give it a go myself.

Thanks!

Two questions though:

1. Assuming you've been using a Linux laptop, what is the physical connection setup between the computer and the infotainment unit like?

I currently connect over WLAN. My infotainment unit connect to my phone's accesspoint, and my laptop is a wifi client on the same network. Then I can do whatever I need.

2. To override the "Android Auto" string with the song name etc. I think one has to put some code of theirs on the unit and get it to work. Do you think that would be possible?

I have a suspicion that there's already some useful endpoint we can use to do this. Fingers crossed! Cheers!

 

[Chillout]

Doing some sniffing on network traffic on some VAG apps today. VW Media control acts like a remote control to the MIB, which means there's indeed more to the Exlap channel than just reading out data, also controlling it ??? a step closer.

 

[serdar_18fr]

Doing some sniffing on network traffic on some VAG apps today. VW Media control acts like a remote control to the MIB, which means there's indeed more to the Exlap channel than just reading out data, also controlling it ??? a step closer.

Looking forward to hear more from you!
Thinking about taking my laptop to the car with me today, if kids let me have some free time of my own on a Sunday

 

[serdar_18fr]

Testing is a bit hard, because I don't want to test and debug inside a hot car
At first, I started with some simple curl requests:

curl -i http://192.168.155.206:25010

curl: (1) Received HTTP/0.9 when not allowed

It turns out, curl can't handle the xml data that came back, but this was working:

curl --http0.9 -i http://192.168.155.206:25010

<Status>
  <Init/>
</Status>

Look at the included PDF, you'll see this is regular output when sending no data.
So I made a POST request with some XML data:

curl --http0.9 -X POST http://192.168.155.206:25010 -H "Content-Type: application/xml" -H "Accept: application/xml" -d "<Req id='1'><Protocol version='1' returnCapabilities='true'/></Req>"

<Status>
  <Init/>
</Status>
<Rsp id="1">
  <Capabilities description="Dies ist der VW Standard Application Interface Server. API Level 5" service="VW SAI-Server HIGH" version="5.0" id="CENSORED">
    <Supports protocol="1.3" interface="true" authenticate="true" heartbeat="true" datTimeStamp="true"/>
  </Capabilities>
</Rsp>

Pretty cool, that's the system actually replying with something sensible!
I had a look at the exlap specs, and next I sent a message to get a listing of supported URLs, by using the DIR command.:

curl --http0.9 -X POST http://192.168.155.206:25010 -H "Content-Type: application/xml" -H "Accept: application/xml" -d "<Req id='4'><Dir/></Req>"

<Status>
  <Init/>
</Status>
<Rsp id="4">
  <UrlList>
    <Match url="vehicleIdenticationNumber"/>
  </UrlList>
</Rsp>

Not much to see there, besides the VIN, but I could query it:

curl --http0.9 -X POST http://192.168.155.206:25010 -H "Content-Type: application/xml" -H "Accept: application/xml" -d "<Req id='11'><Subscribe url='vehicleIdenticationNumber' ival='800'/></Req>"
<Status>
  <Init/>
</Status>
<Rsp id="11"/>
<Dat url="vehicleIdenticationNumber">
  <Txt name="VIN" val="CENSORED"/>
</Dat>

I know there are more data elements available, so I tried one of them:

curl --http0.9 -X POST http://192.168.155.206:25010 -H "Content-Type: application/xml" -H "Accept: application/xml" -d "<Req id='11'><Subscribe url='engineSpeed' ival='800'/></Req>"
<Status>
  <Init/>
</Status>
<Rsp id="11" status="noMatchingUrl"/>

I guess I need some authentication. Here's the funny part: they've changed the authentication since the specs were written, and user authentication is now done as follows:

base64(sha256(username:password:nonce:cnonce))

Upon sending an authentication request, the server will reply with a nonce, which you have to reply to by supplying an answer. So I made a simple calculator that would generate the digest value, and tried to authenticate myself:

curl --http0.9 -X POST http://192.168.155.206:25010 -H "Content-Type: application/xml" -H "Accept: application/xml" -d "<Req id='2'><Authenticate phase='challenge'/></Req>
> "
<Status>
  <Init/>
</Status>
<Rsp id="2">
  <Challenge nonce="xwtCCB+nScrcBK3epfEcTg=="/>
</Rsp>

But.. then there was a catch.. curl kept the connection open after this response, and didn't allow me to send a new request... I had to CTRL-C out of curl, to send the reply:

curl --http0.9 -X POST http://192.168.155.206:25010 -H "Content-Type: application/xml" -H "Accept: application/xml" -d "<Req id='3'><Authenticate phase='response' cnonce='qdnpqMqBRpVneAc/PP2mHQ==' digest='JuqGXLFDgG3AhCdn0qlC3nbinZu26m3z2zGluyE1Nv4=' user='RSE_3-DE1400'/></Req>"
<Status>
  <Init/>
</Status>
<Rsp id="3" status="error" msg="response has to be preceeded by challenge"/>

As you can see, a new session was initiated, and therefore my previous authentication nonce was no longer valid. I had no idea how to continue doing this with curl, so I tried some other options... Postman, Insomnia, SoapUI all didn't really like the XML response from the server, which sucks, as there's no way to see the exact raw value inside the tools when they cannot parse the response.

So.... now I'm writing a small websockets client in Python, so I can keep on sending and receiving data while keeping the socket open.
After that, the plan is as follows:
- Try all known username passwords I've found inside VW/Seat/Skoda/Audi apps that use Exlap data
- See if there's any difference in output on the DIR command. I hope the devs were sloppy and some of the public users have more rights than others.
- Then I'll try to find the function to update some data like song title or connected bluetooth client name. If that works, hopefully we'll be able to override the "Android Auto" title there.


Sidenote: I did a lot of research to find where the MIB is actually getting the "Android Auto" string from. I replaced all of the Android Auto strings inside the language file on the MIB, but that didn't do the trick... let's hope this method works.

Hi there,

Today I brought my laptop to the car, hoping to try & get some response from the infotainment unit, using the pointers you gave me a while back.

My first disappointment was to see that there is no WLAN/Hotspot option in my MIB2 Std unit. I don't know if the hardware is simply not capable of the feature or it is just disabled (and it would be possible to enable via some coding?). Any info on this would be greatly appreciated.

Later I connected my phone through the USB cable and let the Android Auto connect. I thought this could possibly give me another chance to communicate with the MIB2 over my phone's hotspot, to which my laptop is connected. I tried to scan the 192.168.168.0 network (Phone's hotspot gave the laptop an address from this network) to catch an IP address, without luck.

Finally and without any hope, I tried to connect to 192.168.155.206 (The address in your examples) directly via port 25010 using telnet and it is connected right away! Then I disconnected, knowing that there's nothing more I can do over telnet. Unfortunately, none of my subsequent connection attempts using the same method was successful. I thought maybe there's some protection feature on the MIB2 side, blocking IP/MAC addresses which had unsuccessful connection attempts.

By the way, I'm surprised that I was able to make a successful connection with 192.168.155.206:25010. This should mean that MIB2's IP address is static and reachable over a different IP block, using the phone as a gateway, I guess.

Tomorrow I'm going to bring another laptop to the car, try the same connection attempt and to see if it would respond to another IP/MAC address.

What are your thoughts about this experience of mine ?

Cheers,

Serdar

 

[serdar_18fr]

Hi @Chillout,
I wonder whether you have ever seen my last post in this thread, from about a year ago.
I'll be grateful if you take a look & respond to it.
Cheers,
Serdar